How to add security groups (without Entra roles) to the access token?

Question

I have a SignUpSignIn user flow. The app registration that is linked to the user flow has "groupMembershipClaims": "SecurityGroup" in its manifest.

As the documentation mentions, the groups claim will contain security groups and Microsoft Entra roles.

The value is quite misleading and gives the impression that with this config, we only get the security groups.

Is there a way to achieve this?

Or would the better solution be to not include the groups claim and instead have the application take the user object id and call Graph API (GET /users/{userid}/memberOf/microsoft.graph.group?$select=id)

Answer 1

Hi @Manuel T

Thank you for reaching us!

I understand that you are looking add security groups without Entra roles to the access token?

You’re correct that setting groupMembershipClaims to "SecurityGroup" includes both security groups and Microsoft Entra roles. Unfortunately, there’s no direct way to exclude Microsoft Entra roles using this property.

You can use GET /users/{userid}/memberOf/microsoft.graph.group?$select=id, When you use this endpoint, you will only get the groups that the user is a member of, excluding Microsoft Entra roles. This ensures that you receive only the security groups without any roles included.

Hope this helps. Do let us know if you any further queries by responding in the comments section.

Thanks,

Akhilesh.

---

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.